The data breach at toymaker VTech is getting more serious. On Tuesday, the company disclosed that in addition to the 4.9 million parent accounts accessed by hackers, nearly 6.4 million children profiles were also swept up in the breach, one of the largest targeting children.
The company said that a hacker accessed its "Learning Lodge" app store database, which allows customers to download new software for numerous VTech toys — many of which are aimed at young children.
"In total 4,854,209 customer [parent] accounts and 6,368,509 related kid profiles worldwide are affected," the company said. 2.2 million of the parent accounts and 2.9 million children's accounts were registered to customers in the United States.
Parent accounts included information such as name, mailing address, email address, IP address, download history and account credentials. Children's profiles only "include name, gender and birthdate," the company said.
Even so, name, gender and birthdate are more than enough to identify a child should that information be sold or posted publicly. It's also possible to link parents to their children using the breached records.
In this case, the alleged hacker — who contacted Vice's Motherboard and provided to a reporter information taken from the hack — has said that "nothing" will be done with the information, apart it being used to reveal the company's weaknesses. "Frankly, it makes me sick that I was able to get all this stuff,” the alleged hacker told Vice reporter Lorenzo Franceschi-Bicchierai. "VTech should have the book thrown at them.”
Vice's Motherboard, which was the first to alert VTech to the breach, has also reported that the hacker was able to access profile pictures of children as well as chat logs between kids and their parents. VTech acknowledged those reports but said it had not confirmed them, though it did say its security measures should have been stronger.
"Regretfully our database was not as secure as it should have been," the company said in a statement. "Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks."
Toymakers have bet big on connected and smart toys, and the incorporation of technology has prompted analysts to project this could be the industry's best year in a decade. Some items, including those made by VTech, are scaled down versions of full-featured smartwatches and tablets. Others incorporate voice-recognition technology, artificial intelligence and other technologies into traditional toys, making them more interactive.
Doing so, however, also means that these toys are collecting more data than ever from children. Companies looking at collecting that information must also convince parents that they are doing what they can to protect it.
The VTech breach exposes just how vulnerable that information can be, said Jim Steyer, executive director of the parent advocacy group Common Sense Media.
"This is a huge amount of personal data," Steyer said. "It shows parents, particularly at the holiday season, that your data is at risk, and there must be more regulation both from the industry and government."
When asked about the incident on Monday, the Federal Trade Commission declined to comment.